Solving problems with logging on

After you have installed the Centrify Agent for Windows and joined the computer to a domain, users cannot log on without a role assignment. The role, however, can be assigned to a local account or a domain account, or the role can be assigned the right to access a remote computer. Consequently, users might encounter problems logging on after the agent is deployed. For example, you might find that users can log on to the computer using a local account but cannot log on using their domain account or have trouble connecting to a remote server.

If users report problems logging on, there are some things you can try to troubleshoot the issue:

  • Check the logon rights for the affected users.

    To do this, log on as an administrator and execute dzinfo user-name (where user-name is the name of the user experiencing problems logging on). You can also check user logon rights using the Authorization Center.

  • Try to log on using a local user account or using a different domain account if you have more than one account available.

  • Determine whether the computer you are using is connected to or disconnected from the network. In rare cases, authorization information might not be available when a computer is disconnected from the network.

  • If users cannot log on to a remote computer, confirm that they have a role that has the remote logon system right and that the computer itself is configured to allow users to log on remotely. Open the Authorization Center to review the list of roles and their associated rights for any user.

  • Check the computer’s local security policy or applied group policies to verify whether the user is allowed to log on interactively or through a remote desktop connection. For example, most domain users are not allowed to log on locally on domain controllers.

    Depending on how your organization has configured native Windows security policies, users might need to be members of a specific Windows security group—such as Server Operators or Remote Desktop Users—to log on to specific computers locally or remotely even if they have been granted access rights using the Windows Login role or a custom role definition.

  • Check to see whether the computer is in Rescue mode.

    In Rescue mode, access to a computer is granted only to users who have Rescue rights. For information about adding Rescue rights to a role, see System rights allow users to log on. In general, a computer enters Rescue mode because the Windows agent authorization service has stopped. Possible causes include the following:

    • The computer is not connected and the local authorization cache has not been initialized or is corrupt.
    • The local authorization cache cannot be updated because the file system is full.

    See Working with the authorization cache on managed computers for more information about the authorization cache and the conditions under which a computer is considered to be not connected.
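
The checks above can be gathered in one pass on the affected computer. The following script is an added example, not Centrify code: it runs the dzinfo command from this page, then reads the native Windows logon rights, the Remote Desktop state, and the conditions listed as possible causes of Rescue mode. It assumes an elevated Windows PowerShell 5.1 session with dzinfo on the PATH; the service display-name filter and the use of the system drive for the free-space check are assumptions.

```powershell
# Added triage sketch, not Centrify code. Run elevated in Windows PowerShell 5.1.
param([Parameter(Mandatory)][string]$UserName)   # account that cannot log on

# Role and rights assignments as the agent sees them (command from this page).
if (Get-Command dzinfo -ErrorAction SilentlyContinue) {
    & dzinfo $UserName
} else { Write-Warning 'dzinfo not found on PATH' }

# Native Windows logon rights from the effective local security policy.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight',
          'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
foreach ($line in Get-Content $inf) {
    $name, $value = $line -split '\s*=\s*', 2
    if ($rights -notcontains $name) { continue }
    # Entries are "*SID" or plain account names; translate SIDs when possible.
    $who = foreach ($entry in ($value -split ',')) {
        $e = $entry.Trim()
        if (-not $e.StartsWith('*S-1-')) { $e; continue }
        try {
            $sid = [Security.Principal.SecurityIdentifier]$e.TrimStart('*')
            $sid.Translate([Security.Principal.NTAccount]).Value
        } catch { $e }
    }
    '{0}: {1}' -f $name, ($who -join '; ')
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Is Remote Desktop enabled, and who is in Remote Desktop Users (S-1-5-32-555)?
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
'RDP connections denied: {0}' -f ([bool]$ts.fDenyTSConnections)
Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue |
    Format-Table Name, ObjectClass -AutoSize

# Rescue mode causes named on this page: agent service stopped, computer not
# connected, file system full. The display-name filter and the choice of the
# system drive are assumptions; the secure-channel test is only a proxy for
# the agent's own "not connected" conditions.
Get-Service -DisplayName '*Centrify*' -ErrorAction SilentlyContinue |
    Format-Table DisplayName, Status -AutoSize
'Secure channel to domain healthy: {0}' -f (Test-ComputerSecureChannel)
Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':')) | Format-Table Name, Free -AutoSize
```

Compare the accounts listed for each logon right with the user's group memberships; a role that grants the remote logon system right does not help if the native policy omits or denies the user.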